Securities and Exchange Commission

Office of Inspector General

Executive Summary

During this reporting period (October 1, 2000 to March 31, 2001) the Office of Inspector General (Office) issued seven audit reports, one investigative memorandum on management issues, and one audit memorandum. These documents focused on disgorgements; the Commission’s Integrity Programs; the Freedom of Information Act (FOIA) process; general computer controls; the distribution of mail; administrative practices in the Central Regional Office; the use of personal resources; and print shop supplies. The Audit Program section below describes this work further.

Twelve investigations were closed during the period. Three subjects were referred to the Commission; one case was referred to the Department of Justice. During the period, two subjects referred during a prior period resigned. Eight subjects, referred to Commission management during this and prior periods, are awaiting disposition. The Investigation Program section below describes the significant cases further.

In this period, we are reporting controls over disgorgement[1] waivers as a significant problem, based on our audit. During the audit, the Division of Enforcement began taking actions to improve the waiver process. It has issued written procedures, hired a firm to provide improved databases, and hired a contractor to evaluate and make recommendations concerning its procedures. We commend the Division on taking prompt action to strengthen the controls.

In a previous period, we also reported the custody of sensitive information as a significant problem. Since then management has established a task force to implement corrective actions, issued an agency-wide policy, and hired a consultant to assist in a comprehensive review of the matter.
The Commission recently received the consultant’s final report and recommendations. The task force has identified the most significant recommendations, and the Commission has begun implementing them. We recently began a follow-up audit on the controls over sensitive information.

[1] Disgorgements represent ill-gotten gains (or losses avoided) resulting from individuals violating the federal securities laws. The Commission seeks disgorgement to ensure that securities law violators do not profit from their illegal activity. When appropriate, the disgorged funds are returned to the injured investors.

We also previously identified information resources management as a significant problem. Although the Commission has taken many positive steps to improve the management of information (e.g., integrating information technology planning, budgeting, and performance measurement process, linking plans and budgets to the Commission’s mission and strategic direction) information resources management, as a whole, remains a significant concern.

We believe that the Commission is making progress in the right direction (i.e., full compliance with requirements of the Clinger-Cohen Act). However, many pending management actions need to be completed to implement the operational, procedural, and policy recommendations made in prior audits. We performed a review of general computer controls and a risk assessment of information technology this period. We intend to maintain our oversight of the Commission’s management of information resources (including performing a business process review of the IT capital investment decision-making process).

Another previously reported significant problem involves lack of adequate controls over the collection of fees.
Since first reported, statutory changes have eliminated many of the fees most at risk. Moreover, Commission management has made significant progress in correcting the most serious weaknesses. However, final corrective actions are awaiting the implementation of a new computerized filing fee collection system.

No management decisions were revised during the period. The Office of Inspector General agrees with all significant management decisions regarding audit recommendations.

Audit Program

The Office issued seven audit reports, one investigative memorandum on management issues, and one audit memorandum during the reporting period. These documents contained a total of 74 recommendations, which are further described below. Management concurred with most of the recommendations.

DISGORGEMENTS (AUDIT 311)

Disgorgements represent ill-gotten gains (or losses avoided) resulting from individuals violating the federal securities laws. The Commission seeks disgorgement to ensure that securities law violators do not profit from their illegal activity. When appropriate, the disgorged funds are returned to the injured investors.

Disgorgements can be ordered in either administrative proceedings or civil actions, and the cases can be settled or litigated. Payment of disgorgements can be either completely or partially waived based on the defendant demonstrating an inability to pay.

SECURITIES & EXCHANGE COMMISSION                       APRIL 30, 2001

In settled administrative proceedings, Enforcement may recommend, if appropriate, that the disgorgement be waived. The Commission makes the final decision.
In civil actions, any settlement agreed to by the Commission must be approved by the district court.

Our audit objectives were to determine if the management controls over waivers of disgorgements and identification of investors in disgorgement plans were effective in achieving their objectives and efficient. In addition, we determined compliance with Commission Rule 201.612(c) governing whether disgorgements are paid to the injured investors or the U.S. Treasury.

We found that improvements could be made to the waiver process to achieve greater assurance that waivers were justified. The Division of Enforcement concurred and, during the audit, began taking actions with a view to improving the waiver process. It has issued written procedures relating to the waiver process, hired a firm to provide improved databases, and hired a contractor to help evaluate and make recommendations concerning its procedures.

INTEGRITY PROGRAMS (AUDIT NO. 313)

We evaluated the effectiveness of the Commission’s integrity programs (i.e., the ethics program in the Office of General Counsel and Personnel’s staff conduct program). The review was a follow-up to two audits performed in 1996-97 (Audit Nos. 250 and 267).

Successes, obstacles, recommendations, and effectiveness ratings related to the Commission’s integrity objectives were obtained through twenty-two workshops involving approximately eight per cent of Commission employees. Composite ratings were consistent with the previous audit results. Indications are that all supporting objectives are generally being implemented. We believe that, taken as a whole, the Commission is achieving its primary objective to promote high individual and agency integrity.

With almost no exceptions, the workshop participants indicated that they felt a personal sense of responsibility for maintaining the integrity of the Commission.
There were no material control weaknesses identified during the workshops. It is evident from all available evidence that Commission employees place a high premium on ethical integrity.

The participants in the workshops made a number of comments and suggestions for improvement. We shared many of them with management. We made two audit recommendations to improve staff access to integrity guidance and to notify staff seeking ethics counseling of confidentiality limitations.

FOIA PROCESS (AUDIT 318)

The Freedom of Information and Privacy Act Branch, in the Office of Filings and Information Services (Branch), processes Freedom of Information Act (FOIA) requests for agency records. The Branch includes approximately eighteen staff. It received 2,985 requests in FY 1999.

The audit objective was to evaluate the Commission’s compliance with the Freedom of Information Act in processing requests and determine whether processing improvements were needed. We did not address the Privacy Act during this audit.

The Freedom of Information Act requests that we reviewed appeared to be processed generally in compliance with the FOIA.

In FY 2000, the Branch continued its efforts to acquire a new tracking system for FOIA requests, completed a new training manual for its staff, updated the Commission’s FOIA regulations, and conducted a conference for Headquarters and field office FOIA liaisons.

Also, the Branch addressed several matters that we noted during the audit. We found that staff passwords for the FOIA tracking system were provided in the users’ guide, a risk to the security of the tracking system. The FOIA/PA Officer promptly had the passwords changed.
Also, the Officer coordinated with the Commission’s Webmaster to add a link on the Commission’s home web page to its FOIA web page. In addition, the Officer requested the capability to run ad hoc reports from the current FOIA tracking system. These actions demonstrate the Branch’s commitment to enhancing its operations.

To further enhance FOIA request processing, we recommended that the Branch: notify requesters of their appeal rights in responses indicating that no records were found; always notify requesters when their requests will take longer than 20 business days to process; clarify language in response letters; require fee agreement in initial FOIA requests; improve documentation of searches and fees assessed; link information to the FOIA web page; and improve maintenance of the FOIA request files.

GENERAL COMPUTER CONTROLS (AUDIT 320)

The Office of Inspector General sought to determine whether the general controls over the information systems of the Commission's Office of Information Technology (OIT) were effective. The OIG contracted with Tichenor & Associates, an independent CPA firm, to perform a review of the general controls over information technology (IT) planning and organization, data processing operations, physical and logical access to IT assets, program change controls, and other data processing related activities.

The review disclosed that the general controls over information systems were generally effective due to the Year 2000 (Y2K) moratorium on changes to the production environment and the comprehensive review and clean up of information systems and technology associated with Y2K compliance and certification efforts.
However, while OIT has devoted much effort to improving and aligning agency and information technology plans, re-structuring the OIT, improving staff core competencies, and developing a comprehensive configuration management infrastructure, significant improvements must be made for SEC to continue to rely on the general controls over information systems. Specifically, improvements are needed in the areas of:

  • Policies and procedures related to approval and implementation of configuration change control;
  • Policies and procedures related to OIT oversight of project deliverables;
  • Segregation of duties between the systems software, configuration management, user access administration, and production control functions;
  • Security planning for controlling and administering user access to applications; and
  • Performance, problem and compliance reporting.

The report made recommendations to improve these areas. It found that OIT management was aware of many of these conditions and had already implemented improvements in some areas. However, OIT management acknowledged that they are still working on the evolving configuration control structure and the required supporting policies, procedures and automated tools.

DISTRIBUTION OF MAIL (AUDIT 324)

The General Services Administration (GSA) issued guidance to agencies on Federal Mail Management (41 Code of Federal Regulations, 101-9).
The guidance requires the agency head to designate a mail manager.

Commission mail policies and procedures are described in the Mail Management regulation (SECR 22-1). The Branch Chief of Publishing in the Office of Administrative and Personnel Management is the Commission's mail manager. Approximately 15 staff and a supervisor handle day-to-day distribution of mail in headquarters.

Our review of the distribution of mail found that it generally complied with applicable guidance and was cost effective. We made several recommendations to enhance mail management, including: considering additional automation; promoting efficient use of express mail methods; issuing updated mail guidance; establishing a mail site on the Intranet; and providing additional information to mail room staff.

GENERAL COMPUTER CONTROLS - REGIONS (AUDIT 327)

The OIG contracted with Tichenor & Associates, an independent CPA firm, to perform a review of the general controls over data processing in the regions. The objective of the review was to determine whether the controls are in place and effective, and can be relied upon by the OIG in assessing the validity and reliability of data from SEC computer-based systems. The scope of the review included both mainframe and server general controls.

Based on the review, Tichenor determined that the Office of Information Technology (OIT) has devoted much effort to improving and aligning SEC information technology plans. However, it identified further improvements, which must be made for the Commission to continue to rely on the general controls.
Specifically, improvements are needed in the areas of:

  • Implementing technology with proper testing and approval;
  • Communication between the OIT Technical Liaison and regional management on information technology plans and issues;
  • Development of regional IT-related procedures and automated processes;
  • Increased reliance on the Help Desk for problem resolution by the regions; and
  • Storage and retrieval of data stored on workstations.

OIT management was aware of many of these conditions and has already implemented improvements in some areas.

CENTRAL REGIONAL OFFICE (AUDIT NO. 328)

The Central Regional Office exercises a broad range of financial and administrative functions, including maintaining time and attendance records; procuring supplies and services; arranging for staff travel; maintaining an inventory of property; and recording budgeted and actual expenditures of the office.

The Office of Inspector General conducted a limited audit of the financial and administrative internal controls of the office. The purpose of the audit was to provide the Commission with negative assurance that the internal controls were adequate, being implemented economically and efficiently, and in compliance with Commission policies and procedures. The audit procedures were limited to analyzing representations made by staff, reviewing supporting documentation, and conducting some tests of transactions.

During the limited audit described above, no material weaknesses in the internal control structure involving financial and administrative functions came to our attention. Some minor problems were verbally discussed with management.
The office concurred with these findings and is implementing our suggestions.

USE OF PERSONAL RESOURCES (INVESTIGATIVE MEMORANDUM ON MANAGEMENT ISSUES G317)

A recent investigation in a district office disclosed that a manager in the office used personal resources for Commission business, including office furniture and equipment; computer consulting services performed in the office; and training for office staff.

The manager also connected his personally owned computer to the Commission's network, and used an office analog line to access his personal Internet account. When we informed the Associate Executive Director of the Office of Information Technology (OIT), he ordered that the manager’s computer be disconnected from the network because it represented a potential security threat.

We recommended that the Office of General Counsel (OGC) consult with other relevant offices to determine whether the manager's actions constituted an improper augmentation of appropriated funds, and to decide on the appropriate disposition of the personal property in the district office.

Based on OGC's consultations and its own analysis, OGC determined that no improper augmentation of appropriated funds occurred.
However, it indicated (1) that the manager should acknowledge in writing that the loaned furniture, equipment, and other services procured with his own funds were rendered gratuitously with no expectation of reimbursement, and (2) the personal property at issue should be removed prior to, or at the time of, the departure of the manager from the Commission.

We also recommended that OIT, in consultation with the Office of Administrative and Personnel Management, issue additional guidance to Commission employees on the use of personal resources (including computers and Internet Service Provider accounts) in combination with Commission computer and telecommunication resources. The guidance should cover security considerations, describe if and when such combinations are allowed, and set forth approval procedures.

PRINT SHOP SUPPLIES (AUDIT MEMORANDUM M21)

The print shop orders supplies quarterly after receiving a budget allocation. Supplies are kept in the print shop and in a caged storage area of the parking garage (OAPM plans to install a security camera for this caged area).

This memorandum made recommendations to improve controls over print shop supplies, based on a recent incident there. A print shop manager noticed that over half of the toner for the color copier was missing from the print shop supply room. He estimated its value between $7,000 and $10,000 on the incident report. In addition, several other items were missing.

We recommended that the Office of Administrative and Personnel Management periodically change the combination lock on the supply room door, and provide the combination only to selected employees. We also recommended that OAPM maintain perpetual inventory records of toner for the color copier, and periodically compare these records to toner on hand to identify and resolve discrepancies.

Investigative Program

Twelve investigations were closed during the period.
Three subjects were referred to the Commission; one case was referred to the Department of Justice. During the period, two subjects referred during a prior period resigned. Eight subjects, referred to Commission management during this and prior periods, are awaiting disposition. The most significant cases closed during the period are described below.

UNAUTHORIZED DISCLOSURE OF NONPUBLIC INFORMATION

The Office investigated an allegation that a Commission employee may have leaked nonpublic information concerning an ongoing investigation to a member of the press. The evidence obtained during our investigation failed to substantiate the allegation. We interviewed numerous staff members who had access to the nonpublic information. All denied making any unauthorized disclosures of that information. We also learned that the reporter in question had stated that the source of the information was not a Commission employee.

POST-EMPLOYMENT VIOLATION

The Office developed evidence that a former Commission staff member may have violated a federal conflict of interest statute by working for a special master in a matter the employee had worked on while employed by the Commission. We also obtained evidence that the staff member had continued to work on the matter while still employed by the Commission after accepting an offer of employment with the special master. The Department of Justice declined prosecution.

Significant Problems

DISGORGEMENTS

In this reporting period, we completed an audit of disgorgements (Audit No. 311, described above).
We found that improvements could be made to the waiver process to achieve greater assurance that waivers were justified.

The Division of Enforcement concurred and, during the audit, began taking actions to improve the waiver process. It has issued written procedures relating to the waiver process, hired a firm to provide improved databases, and hired a contractor to help evaluate and make recommendations concerning its procedures. We commend the Division on taking prompt action to strengthen the controls.

We intend to monitor the Division’s actions to improve the waiver process.

Significant Problems Identified Previously

SENSITIVE INFORMATION

In a previous period, we reported the custody of sensitive information as a significant problem. Since then, management established a task force to implement corrective actions, issued agency-wide policy, and hired a security consultant to assist in a more comprehensive review of overall security.

The Commission has received the consultant’s final report and recommendations. The task force has identified the most significant recommendations, and the Commission has begun implementing them. We recently began a follow-up audit on certain controls over sensitive information.

INFORMATION RESOURCES MANAGEMENT

We previously identified information resources management as a significant problem based on prior audits, investigative work, and management studies that identified significant weaknesses in many aspects of the Commission’s management of information resources.
Since then, the Commission has taken many positive steps to improve the management of information resources throughout the Commission.

Although the Commission has made significant progress in complying with requirements of the Clinger-Cohen Act, many pending audit recommendations need to be implemented. During this period, we completed reviews of the Commission’s general computer controls (see above), and conducted a risk assessment of information resources management. We also initiated a business process review of the IT capital investment decision-making process.

In future periods, we intend to maintain our oversight of the Commission’s management of information resources.

COLLECTION OF FILING FEES

Starting in 1996, we have identified the Commission’s collection of filing fees as a significant problem. Since then statutory changes have eliminated many of the fees most at risk. Moreover, Commission management has made significant progress in correcting the most serious weaknesses. However, final corrective actions are awaiting the implementation of a new computerized filing fee collection system.

The strengthening of automated controls, related to filing fee collection, has been awaiting modernization of the EDGAR system (which receives and disseminates filings from public companies). EDGAR Release 7.5, scheduled for May 2001, and EDGAR Release 8.0, scheduled by the end of the fiscal year, are planned to implement a new filing fee collection system. The new system is designed to contain adequate financial controls.
Until then, the overall control structure continues to fail to provide adequate accountability over filing fees.

Access to Information

The Office of Inspector General has received access to all information required to carry out its activities. No reports to the Chairman, concerning refusal of such information, were made during the period.

Other Matters

EXECUTIVE COUNCIL ON INTEGRITY AND EFFICIENCY

The Office actively participates in the activities of the Executive Council on Integrity and Efficiency (ECIE). The Inspector General attends ECIE meetings, is an active member of its Financial Institutions Regulatory Committee, and serves as the ECIE member of the Integrity Committee established by Executive Order No. 12993.

The Counsel to the Inspector General is an active member of the PCIE Council of Counsels. The Council considers legal issues relevant to the Inspector General community.

Questioned Costs

                                                                DOLLAR VALUE (IN THOUSANDS)
                                                          NUMBER   UNSUPPORTED   QUESTIONED
                                                                         COSTS        COSTS
A     For which no management decision has been made by        0             0            0
      the commencement of the reporting period
B     Which were issued during the reporting period            0             0            0
      Subtotals (A+B)                                          0             0            0
C     For which a management decision was made during          0             0            0
      the reporting period
(i)   Dollar value of disallowed costs                         0             0            0
(ii)  Dollar value of costs not disallowed                     0             0            0
D     For which no management decision has been made by        0             0            0
      the end of the period
      Reports for which no management decision was made        0             0            0
      within six months of issuance

Recommendations That Funds Be Put To Better Use

                                                          NUMBER     DOLLAR VALUE
                                                                   (IN THOUSANDS)
A     For which no management decision has been made by        0                0
      the commencement of the reporting period
B     Which were issued during the reporting period            0                0
      Subtotals (A+B)                                          0                0
C     For which a management decision was made during          0                0
      the period
(i)   Dollar value of recommendations that were agreed         0                0
      to by management
      - Based on proposed management action                    0                0
      - Based on proposed legislative action                   0                0
(ii)  Dollar value of recommendations that were not            0                0
      agreed to by management
D     For which no management decision has been made by        0                0
      the end of the reporting period
      Reports for which no management decision was made        0                0
      within six months of issuance

Reports with No Management Decisions

Management decisions have been made on all audit reports issued before the beginning of this reporting period (October 1, 2000).

Revised Management Decisions

No management decisions were revised during the period.

Agreement with Significant Management Decisions

The Office of Inspector General agrees with all significant management decisions regarding audit recommendations.